Abstract

It is known that any $n$-variable function on a finite prime field of characteristic $p$ can be expressed as
a polynomial over the same field with at most $p^n$ monomials. However, it is not obvious how to determine the
polynomial for a given concrete function. In this paper, we study the concrete polynomial expressions of
the carries in addition and multiplication of $p$-ary integers. For the case of addition, our result gives a new
family of symmetric polynomials, which generalizes the known result for the binary case $p = 2$ where the
carries are given by elementary symmetric polynomials. On the other hand, for the case of multiplication
of $n$ single-digit integers, we give a simple formula of the polynomial expression for the carry to the next
digit using the Bernoulli numbers, and show that it has only $(n+1)(p-1)/2 + 1$ monomials, which is
significantly fewer than the worst-case number of monomials for general functions. We also discuss
applications of our results to cryptographic computation on encrypted data.


Remark. The authors have been notified that the essential part of our Theorem 2 appears (by a different
approach) in: C. Sturtivant, G. S. Frandsen, The Computational Efficacy of Finite-Field Arithmetic,
Theoretical Computer Science 112 (1993) 291-309 (see Theorem 9.1(a) and Theorem 11.2 in that paper). The
authors deeply thank Akihiro Munemasa for the information. The authors would like to keep this preprint
online for reference purposes.


1 Introduction 

A well-known but remarkable property of a finite prime field $\mathbb{F}_p$ (where $p$ is a prime) is that any function
that computes a value in $\mathbb{F}_p$ from a tuple of elements of $\mathbb{F}_p$ can be expressed as a polynomial over $\mathbb{F}_p$. Such
a polynomial expression of a function can be taken to be of degree at most $p-1$ with respect to each
variable (we call it a "minimal polynomial expression"), hence the polynomial in $n$ variables consists of at
most $p^n$ monomials and has total degree at most $n(p-1)$ in general. Here we emphasize that, besides the
general theory that guarantees the existence of the minimal polynomial expression, it is of independent interest
to determine such a concrete expression of a given function, which may have a significantly smaller number
of monomials than the general bound $p^n$ and/or a significantly lower total degree than the general bound
$n(p-1)$. In this paper, we study the explicit polynomial expressions of the carry functions in $p$-ary arithmetic
(precisely, addition and multiplication of $p$-ary integers). We also discuss applications to computation on
encrypted data studied in cryptology, which originally motivated the present work.
1.1 Our Problem and Results


More precisely, we consider the following problem. For $a \in \mathbb{F}_p$, we define $a_{\mathbb{Z}} \in \mathbb{Z}$ to be the representative
of the residue class $a \in \mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ chosen from the subset $[p-1] := \{0,1,\dots,p-1\}$ of $\mathbb{Z}$. We sometimes
write the addition, the subtraction and the multiplication operators in $\mathbb{Z}$ as $+_{\mathbb{Z}}$, $-_{\mathbb{Z}}$ and $\times_{\mathbb{Z}}$, respectively,
to clarify the distinction between the operators in $\mathbb{Z}$ and in $\mathbb{F}_p$. We also use the symbols $\sum_{\mathbb{Z}}$ and $\prod_{\mathbb{Z}}$
in a similar manner. Then we define functions $\varphi_i\colon (\mathbb{F}_p)^n \to \mathbb{F}_p$ for $i = 0,1,\dots$ by the following relation for
$x_1,\dots,x_n \in \mathbb{F}_p$:

$$\sideset{}{_{\mathbb{Z}}}\sum_{j=1}^{n} (x_j)_{\mathbb{Z}} = \sideset{}{_{\mathbb{Z}}}\sum_{i \ge 0} \bigl( \varphi_i(x_1,\dots,x_n)_{\mathbb{Z}} \times_{\mathbb{Z}} p^i \bigr), \tag{1}$$

i.e., the $p$-ary expression of the integer $(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ is $(\dots, \varphi_1(x_1,\dots,x_n)_{\mathbb{Z}}, \varphi_0(x_1,\dots,x_n)_{\mathbb{Z}})_p$. For
example, $\varphi_0(x,y)$ and $\varphi_1(x,y)$ represent the sum and the carry, respectively, for the $p$-ary addition of two
single-digit values $x$ and $y$ (where the $p$-ary digits are naturally identified with elements of $\mathbb{F}_p$). Similarly,
we define functions $\psi_i\colon (\mathbb{F}_p)^n \to \mathbb{F}_p$ for $i = 0,1,\dots$ by the following relation for $x_1,\dots,x_n \in \mathbb{F}_p$:

$$\sideset{}{_{\mathbb{Z}}}\prod_{j=1}^{n} (x_j)_{\mathbb{Z}} = \sideset{}{_{\mathbb{Z}}}\sum_{i \ge 0} \bigl( \psi_i(x_1,\dots,x_n)_{\mathbb{Z}} \times_{\mathbb{Z}} p^i \bigr), \tag{2}$$

i.e., the $p$-ary expression of the integer $(x_1)_{\mathbb{Z}} \times_{\mathbb{Z}} \cdots \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ is $(\dots, \psi_1(x_1,\dots,x_n)_{\mathbb{Z}}, \psi_0(x_1,\dots,x_n)_{\mathbb{Z}})_p$. In
this setting, our problem is to determine the concrete minimal polynomial expressions of the functions $\varphi_i$
and $\psi_i$. We note that the definitions of $\varphi_i$ and $\psi_i$ imply immediately that

$$\varphi_0(x_1,\dots,x_n) = x_1 + \cdots + x_n \quad\text{and}\quad \psi_0(x_1,\dots,x_n) = x_1 \cdots x_n$$

(we emphasize that the right-hand sides are computed in $\mathbb{F}_p$ rather than $\mathbb{Z}$). In the following argument, we
focus on the other cases when $i \ge 1$. We also note that, when $p = 2$, we have $\psi_i = 0$ for any $i \ge 1$ (since
now $(x_j)_{\mathbb{Z}} \in \{0,1\}$). In the following argument, we assume $p > 2$ for the case of multiplication operators.

For the carry functions $\varphi_i$ in the addition operators, when $p = 2$, a simple solution of the problem
using elementary symmetric polynomials has been derived, e.g., by Boyar, Peralta and Pochuev [1] (see also
Example 1 in Section 3). We extend the result to the case of other primes $p$ and determine the minimal
polynomial expressions of the functions $\varphi_i$, by using classical Lucas' Theorem in elementary number
theory on congruent relations between some binomial coefficients. Precisely, we prove the following result
in Section 3. To state the result, we introduce a notation; for a positive integer $m$ and a (not necessarily
reduced) fraction $\alpha = a/\beta \in \mathbb{Q}$ with $a, \beta \in \mathbb{Z}$ and $\gcd(\beta, m) = 1$, we define $\alpha^{(m)} = a \cdot \beta^{-1} \in \mathbb{Z}/m\mathbb{Z}$ where
$\beta^{-1}$ means the inverse of $\beta$ in $\mathbb{Z}/m\mathbb{Z}$. For example, $(5/66)^{(7)} = 5 \cdot 5 = 4 \in \mathbb{F}_7$ since $66 \equiv 3 \pmod 7$ and
$3 \cdot 5 \equiv 1 \pmod 7$. We note that $\alpha^{(m)}$ is independent of a choice of such an expression $a/\beta$ of $\alpha$. Then the
result is as follows:

Theorem 1. For any index $i \ge 0$, the minimal polynomial expression of $\varphi_i$ is given by

$$\varphi_i(x_1,\dots,x_n) = \sum_{(d_1,\dots,d_n)} \prod_{j=1}^{n} \left(\frac{1}{d_j!}\right)^{(p)} x_j (x_j - 1) \cdots (x_j - d_j + 1)$$

(see above for the notation $\alpha^{(p)}$), where the sum in the right-hand side is taken over all the $[p-1]$-restricted
compositions $(d_1,\dots,d_n)$ of $p^i$ of length $n$, that is, tuples of $d_1,\dots,d_n \in [p-1]$ with $d_1 + \cdots + d_n = p^i$.

The polynomial in Theorem 1 has total degree at most $p^i$, which is significantly lower than the above-mentioned
bound $n(p-1)$ in many cases (note that, since $(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \le n(p-1)$ for any $x_1,\dots,x_n \in \mathbb{F}_p$,
the definition of $\varphi_i$ implies that $\varphi_i = 0$ unless $p^i \le n(p-1)$). The number of the terms is given by the
extended binomial coefficients, namely, it is equal to the coefficient of $X^{p^i}$ in the polynomial
$(1 + X + \cdots + X^{p-1})^n$. As in the known case $p = 2$, our polynomials for the case $p > 2$ are symmetric polynomials
due to the symmetry of the addition. On the other hand, in contrast to the case $p = 2$, these symmetric
polynomials for $p > 2$ are somewhat complicated and no simple expressions in terms of famous generating
families of symmetric polynomials (such as the elementary symmetric polynomials) are found so far. Hence,
this result yields a new family of symmetric polynomials; detailed studies of their properties are left as a
future research topic.

Regarding the related work, we note that the proof in the above-mentioned previous work [1] is specialized
to the case $p = 2$ and is not straightforwardly applicable to a general $p$. On the other hand, for the case
$p > 2$, the minimal polynomial expression of the carry $\varphi_1(x, y)$ to the next digit for the addition of two $p$-ary
values was recently derived by the third author and Kurosawa [7]; but their proof is based on a case-by-case
argument depending on the fact that the number of added values is two, and is not straightforwardly
applicable to a general case either. Our proof for the general case is different from the two previous results.

On the other hand, for the carry function $\psi_1$ to the next digit in the multiplication operators with $p > 2$
(note that the case $p = 2$ is trivial, as mentioned above), we determine a formula for the minimal polynomial
expression of $\psi_1$ using the Bernoulli numbers. (The other carry functions $\psi_i$ to higher digits, i.e., with $i \ge 2$,
are not considered in this paper and are left as a future research subject.) This result also yields another new
family of symmetric polynomials. More precisely, we prove the following result; here we use the convention
$B_1 = -1/2$ (rather than $B_1 = 1/2$) for the Bernoulli numbers $B_m$, i.e., $t/(e^t - 1) = \sum_{m \ge 0} B_m t^m / m!$.

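Theorem 2. Let $p$ be an odd prime. Then the minimal polynomial expression of $\psi_1(x_1,\dots,x_n)$ is given by

$$\psi_1(x_1,\dots,x_n) = x_1 \cdots x_n \Bigl( \Psi(x_1 \cdots x_n) - \sum_{j=1}^{n} \Psi(x_j) + (n-1)\Psi(1) \Bigr),$$

where $\Psi(t)$ is a polynomial defined by

$$\Psi(t) = \sum_{i=1}^{p-2} \left(\frac{B_{p-1-i}}{p-1-i}\right)^{(p)} t^i = \sum_{i=1}^{(p-3)/2} \left(\frac{B_{p-1-2i}}{p-1-2i}\right)^{(p)} t^{2i} + \frac{p-1}{2}\, t^{p-2}$$

(see above for the notation $\alpha^{(p)}$ for $\alpha \in \mathbb{Q}$). We also have

$$\Psi(1) = (w_p)^{(p)} = \left(B_{p-1} + \frac{1}{p} - 1\right)^{(p)},$$

where $w_p = ((p-1)! + 1)/p$ is Wilson's quotient.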

We note that, although $\varphi_1$ and $\psi_1$ in Theorems 1 and 2 look very different, these symmetric functions
are related by ~VV,y) = V'i(x, y) + pi(xp, y) which is obvious from their meanings. We emphasize that, 
the carry function $\psi_1(x_1,\dots,x_n)$ for the case of $n$ values is expressed as a sum of only $(n+1)(p-1)/2 + 1$
monomials, which is much fewer than the above-mentioned general bound $p^n$. The number of monomials in
$\psi_1$ is decreased further for some $p$; for example, the term $(n-1)\Psi(1)$ in $\psi_1$ vanishes if $w_p \equiv 0 \pmod p$, i.e.,
$p$ is a Wilson prime. Examples of such primes are $p = 5$, 13 and 563, while it is still open whether or not
$w_p \equiv 0 \pmod p$ for some other prime $p$.


1.2 Motivation from Cryptology 

Here we explain the motivation of the present work from cryptology. In recent cryptology research,
one of the most intensively studied topics is fully homomorphic encryption (FHE) [5], which is an encryption
scheme that enables "computation on encrypted data". For example, in an FHE scheme recently proposed
by the third author and Kurosawa [7], for any given ciphertexts $c_1, c_2$ which are encryptions of (unknown)
plaintexts $m_1, m_2 \in \mathbb{F}_p$, respectively, new ciphertexts corresponding to plaintexts $m_1 + m_2 \in \mathbb{F}_p$ and $m_1 \cdot m_2 \in \mathbb{F}_p$
can be generated from $c_1, c_2$ and some public parameters only, without knowing the secret plaintexts
$m_1$ and $m_2$. In other words, one can perform addition and multiplication on
data in encrypted form while keeping the data secret. By the fact on the polynomial expressions of
functions mentioned above, this functionality is enough for generating a ciphertext corresponding to plaintext
$f(m_1, m_2) \in \mathbb{F}_p$ for an arbitrary function $f$. This property gives rise to the problem of designing a concrete
and efficient algorithm to compute the value of a given function over $\mathbb{F}_p$ by combining addition and
multiplication only. From this point of view, the results of this paper enable us to implement addition and
multiplication of arbitrary-precision $p$-ary integers, where each digit of the integers is encrypted by the FHE
scheme in [7]. Namely, for example, to calculate the carry in an addition of encrypted digits $x_1,\dots,x_n$, we
compute the polynomial in Theorem 3 below where the addition and the multiplication in $\mathbb{F}_p$ are replaced
with the above-mentioned corresponding operations for the ciphertexts (note that subtraction operators in
the polynomial over the finite field $\mathbb{F}_p$ can be replaced with suitable addition operators). Such a concrete
result, beyond just a theoretical possibility of such computation, is also new in the area of cryptology.

Acknowledgements. 

The authors thank Kaoru Kurosawa, and the members of Shin-Akarui-Angou-Benkyo-Kai, especially Shota 
Yamada, Keita Emura and Goichiro Hanaoka, for their precious comments on this work. The authors also 
thank Go Yamashita for his insightful comments on this work, which yielded Remarks [1] and [5] and the 
Appendix. 


2 Preliminaries 

We summarize some notations and terminology used in this paper. For any proposition $P(x)$ for an object
$x$, let $\chi[P(x)]$ denote the characteristic function of $P(x)$, defined by

$\chi[P(x)] = 1$ if $P(x)$ is true, $\chi[P(x)] = 0$ if $P(x)$ is false.

Let $p$ denote a prime number. As mentioned in the Introduction, for $a \in \mathbb{F}_p$, we define $a_{\mathbb{Z}} \in \mathbb{Z}$ to be the
representative of the residue class $a \in \mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ chosen from the subset $[p-1] := \{0,1,\dots,p-1\}$ of $\mathbb{Z}$.
We sometimes write the addition, the subtraction and the multiplication operators in $\mathbb{Z}$ as $+_{\mathbb{Z}}$, $-_{\mathbb{Z}}$ and $\times_{\mathbb{Z}}$,
respectively, to clarify the distinction between the operators in $\mathbb{Z}$ and in $\mathbb{F}_p$. We also use the symbols
$\sum_{\mathbb{Z}}$ and $\prod_{\mathbb{Z}}$ in a similar manner. For a polynomial $\varphi(x_1,\dots,x_n)$, let $\deg \varphi$ denote the total degree of $\varphi$,
and let $\deg_{x_i} \varphi$ denote the degree of $\varphi$ with respect to the variable $x_i$.

For a function $f\colon (\mathbb{F}_p)^n \to \mathbb{F}_p$, we say that a polynomial $\varphi(x_1,\dots,x_n)$ over $\mathbb{F}_p$ is a polynomial expression
of $f$, if $\varphi(x_1,\dots,x_n) = f(x_1,\dots,x_n)$ for every tuple $(x_1,\dots,x_n) \in (\mathbb{F}_p)^n$. The following fact is well-known;
due to its importance in this paper, we give a proof of the fact for the sake of completeness.

Proposition 1. For any function $f\colon (\mathbb{F}_p)^n \to \mathbb{F}_p$, there exists a polynomial expression $\varphi$ of $f$ which has
degree at most $p-1$ with respect to each variable. Moreover, such a polynomial $\varphi$ is unique.

Proof. For the existence, for any $a = (a_1,\dots,a_n) \in (\mathbb{F}_p)^n$, Fermat's Little Theorem implies that the
polynomial expression $\varphi_a$ of the function $\chi[x = a]$ ($x = (x_1,\dots,x_n)$) is given by $\varphi_a(x) = \prod_{i=1}^{n} (1 - (x_i - a_i)^{p-1})$.
Then the polynomial expression of a general $f$ is given by $\varphi(x) = \sum_{a \in (\mathbb{F}_p)^n} \varphi_a(x) f(a)$.

For the uniqueness, it suffices to consider the case of the zero function $f = 0$. Assume, for the contrary,
that there is such a non-zero polynomial $\varphi$. When $n = 1$, this contradicts the polynomial remainder theorem.
When $n \ge 2$, by focusing on a non-zero coefficient (belonging to $\mathbb{F}_p[x_1,\dots,x_{n-1}]$) of some power of $x_n$ in
$\varphi \in \mathbb{F}_p[x_1,\dots,x_{n-1}][x_n]$, the coefficient must be a polynomial expression of the zero function, therefore the
argument is reduced to the case of smaller $n$. Hence Proposition 1 holds. □

We call the unique polynomial expression of the function $f$ as in Proposition 1 the minimal polynomial
expression of $f$. Then the following property also holds:

Proposition 2. For any function $f\colon (\mathbb{F}_p)^n \to \mathbb{F}_p$, the minimal polynomial expression $\varphi$ of $f$ has the
minimum total degree among all polynomial expressions of $f$.

Proof. For any polynomial expression $\psi$ of $f$, if $\deg_{x_i} \psi \ge p$ for some variable $x_i$, then $\psi$ can be converted to
another polynomial expression of $f$ of lower degree with respect to $x_i$ by replacing $x_i^p$ with $x_i$, since $a^p = a$
for every $a \in \mathbb{F}_p$ by Fermat's Little Theorem. Iterating the process, $\psi$ can be converted to the minimal
polynomial expression of $f$, which is equal to $\varphi$ by the uniqueness property in Proposition 1. Now the
conversion process does not increase the total degree, therefore we have $\deg \varphi \le \deg \psi$. Hence Proposition 2
holds. □

We note that the minimal polynomial expression of any symmetric function is a symmetric polynomial 
owing to the uniqueness property, since any permutation of the variables in the polynomial also yields such 
a polynomial expression of the same function. For any function over Fp, we often identify the minimal 
polynomial expression of the function with the function itself unless some ambiguity occurs. 

Now we introduce useful notations to regard some rational numbers as elements of $\mathbb{F}_p$. For a positive
integer $m$ and a (not necessarily reduced) fraction $\alpha = a/\beta \in \mathbb{Q}$ with $a, \beta \in \mathbb{Z}$ and $\gcd(\beta, m) = 1$, we define

$$\alpha^{(m)} = a \cdot \beta^{-1} \in \mathbb{Z}/m\mathbb{Z}$$

where $\beta^{-1}$ means the inverse of $\beta$ in $\mathbb{Z}/m\mathbb{Z}$. For example, $(5/66)^{(7)} = 5 \cdot 5 = 4 \in \mathbb{F}_7$ since $66 \equiv 3 \pmod 7$
and $3 \cdot 5 \equiv 1 \pmod 7$. We note that $\alpha^{(m)}$ is independent of a choice of such an expression $a/\beta$ of $\alpha$. This
implies that the map $\alpha \mapsto \alpha^{(m)}$ is a ring homomorphism to $\mathbb{Z}/m\mathbb{Z}$ from the ring of rational numbers that
can be expressed as a fraction $a/\beta$ with $a, \beta \in \mathbb{Z}$ and $\gcd(\beta, m) = 1$. We restate this property for the sake
of reference. For any polynomial $F(x_1,\dots,x_n)$ over $\mathbb{Q}$ in which all coefficients can be expressed as fractions
with denominators being coprime to $m$, we define $F^{(m)}(x_1,\dots,x_n)$ to be the polynomial over $\mathbb{Z}/m\mathbb{Z}$ obtained
by applying the map $\alpha \mapsto \alpha^{(m)}$ to every coefficient. Then we have the following, which we will use in our
argument several times:

Lemma 1. Let $\alpha_1,\dots,\alpha_n \in \mathbb{Q}$, let $F(x_1,\dots,x_n)$ be a polynomial over $\mathbb{Q}$, and suppose that all of $\alpha_1,\dots,\alpha_n$
and all coefficients in $F$ can be expressed as fractions with denominators being coprime to $m$. Then we have
$F^{(m)}(\alpha_1^{(m)},\dots,\alpha_n^{(m)}) = F(\alpha_1,\dots,\alpha_n)^{(m)}$ (see above for the notations).


3 Polynomial Expressions of Carries for Addition 

In Section 3.1 we determine the minimal polynomial expression of the function $\varphi_i(x_1,\dots,x_n)$ that yields
the carry to the $i$-th digit in the integer addition $(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ (see (1) in the Introduction for the
precise definition of $\varphi_i$). Then in Section 3.2 we discuss algorithms for addition of $p$-ary integers where each
step is composed of polynomial evaluations.


3.1 The Results 

Here we determine the minimal polynomial expressions of the functions $\varphi_i$ defined above. Note that
$\varphi_0(x_1,\dots,x_n) = \sum_{j=1}^{n} x_j$, while we have $\varphi_i = 0$ if $n(p-1) < p^i$. Our argument below is based on
Lucas' Theorem [5] in elementary number theory (see e.g., Exercise 6.a of Chapter 1 in [5]):

Proposition 3 (Lucas' Theorem [5]). Let $a = (a_m \cdots a_1 a_0)_p$ and $b = (b_m \cdots b_1 b_0)_p$ be $p$-ary expressions of
integers $a, b \ge 0$, where the leading digits are allowed to be zero. Then we have




(mod p) , 


where we define $\binom{a'}{b'} = 0$ if $a' < b'$.

Then we have the following result (restatement of Theorem 1 in the Introduction):

Theorem 3. For any index $i \ge 0$, the minimal polynomial expression of $\varphi_i$ is given by

$$\varphi_i(x_1,\dots,x_n) = \sum_{(d_1,\dots,d_n)} \prod_{j=1}^{n} \left(\frac{1}{d_j!}\right)^{(p)} x_j (x_j - 1) \cdots (x_j - d_j + 1)$$

(see Section 2 for the notation $\alpha^{(p)}$ for $\alpha \in \mathbb{Q}$), where the sum in the right-hand side is taken over all
the $[p-1]$-restricted compositions $(d_1,\dots,d_n)$ of $p^i$ of length $n$, that is, tuples of $d_1,\dots,d_n \in [p-1]$ with
$d_1 + \cdots + d_n = p^i$.

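Proof. First, we have

$$\varphi_i(x_1,\dots,x_n)_{\mathbb{Z}} \equiv \binom{(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}}{p^i} \pmod p \tag{3}$$

by Proposition 3 applied to $a = (x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ and $b = p^i$ (i.e., $b_i = 1$ and $b_{i'} = 0$ for $i' \ne i$).
The binomial coefficient in the right-hand side is equal to the number of possible choices of $p^i$ objects from
$(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ objects. We divide the $(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ objects into $n$ blocks of $(x_1)_{\mathbb{Z}}$ objects,
$(x_2)_{\mathbb{Z}}$ objects, ..., $(x_n)_{\mathbb{Z}}$ objects, and for each choice of the $p^i$ objects, we write the number of objects chosen
from the $h$-th block as $d_h$. Then the values $d_1,\dots,d_n$ satisfy that $d_h \in [p-1]$ (since $(x_h)_{\mathbb{Z}} \le p-1$) and
$d_1 + \cdots + d_n = p^i$, and we have

$$\binom{(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_n)_{\mathbb{Z}}}{p^i} = \sum_{(d_1,\dots,d_n)} \prod_{j=1}^{n} \binom{(x_j)_{\mathbb{Z}}}{d_j},$$

where the sum is taken over all tuples $(d_1,\dots,d_n)$ as above. Moreover, we have

$$\binom{(x_j)_{\mathbb{Z}}}{d_j}^{(p)} = \left( \frac{(x_j)_{\mathbb{Z}} \bigl((x_j)_{\mathbb{Z}} -_{\mathbb{Z}} 1\bigr) \cdots \bigl((x_j)_{\mathbb{Z}} -_{\mathbb{Z}} d_j +_{\mathbb{Z}} 1\bigr)}{d_j!} \right)^{(p)} = \left(\frac{1}{d_j!}\right)^{(p)} x_j (x_j - 1) \cdots (x_j - d_j + 1).$$

Since $(a_{\mathbb{Z}})^{(p)} = a$ for any $a \in \mathbb{F}_p$, the claim of Theorem 3 follows by summarizing these arguments.

□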


Remark 1. The property (3) in the proof above can also be derived by comparing the coefficients of the
monomial in the leftmost and the rightmost sides of the following equality for polynomials over $\mathbb{F}_p$:

_j_ ^^(a:i)z+z - |-z(a:n)z = _j_ ^'^Vo{xi,...,Xn)i,+zipi{xi,...,Xn)l Xz P -t-Z ‘P2(xi ,...,x„)z, XzP^-t - 

_ -(- J{'j‘Po(xi,...,x„)z^^ _j_ J^jipi(xi,...,x„)z XzP(^Y -(- j¥’ 2 (a:i,...,a:„)z Xzp"^ . . . 

= (1 -b -b -b • • • (mod p) 


(since $0 \le \varphi_j(x_1,\dots,x_n)_{\mathbb{Z}} \le p-1$ for each index $j$). We note that Lucas' Theorem itself can also be proven
by a similar argument.

Example 1. When $p = 2$, the indices $d_1,\dots,d_n$ in the statement of Theorem 3 are taken in such a way that
$d_1,\dots,d_n \in \{0,1\}$ and $d_1 + \cdots + d_n = p^i$. Then, by setting $S = \{j \in \{1,\dots,n\} \mid d_j = 1\}$, Theorem 3 implies
that

$$\varphi_i(x_1,\dots,x_n) = \sum_{S \subseteq \{1,\dots,n\},\ |S| = 2^i} \ \prod_{j \in S} x_j = e_{2^i}(x_1,\dots,x_n),$$

i.e., $\varphi_i = e_{2^i}$, the elementary symmetric polynomial of degree $2^i$. This coincides with the result by Boyar,
Peralta and Pochuev [1] mentioned in the Introduction.
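The following check of Theorem 3 and Example 1 is an added example, not code from the paper: it evaluates the carry polynomial with $\mathbb{F}_p$ arithmetic only and compares it against the digits of the integer sum. All function names are chosen here for illustration.

```python
from itertools import combinations, product
from math import factorial, prod


def restricted_compositions(total, n, p):
    """Yield all (d_1, ..., d_n) with 0 <= d_j <= p-1 and d_1 + ... + d_n = total."""
    if total > n * (p - 1):          # no such composition exists
        return
    if n == 0:
        yield ()                     # here total == 0 by the check above
        return
    for d in range(min(total, p - 1) + 1):
        for rest in restricted_compositions(total - d, n - 1, p):
            yield (d,) + rest


def falling(x, d, p):
    """x (x-1) ... (x-d+1) computed in F_p (empty product 1 when d = 0)."""
    out = 1
    for k in range(d):
        out = out * (x - k) % p
    return out


def phi(i, xs, p):
    """Evaluate the polynomial of Theorem 3 at xs, using F_p arithmetic only."""
    inv_fact = [pow(factorial(d), -1, p) for d in range(p)]   # (1/d!)^{(p)}
    total = 0
    for ds in restricted_compositions(p ** i, len(xs), p):
        term = 1
        for x, d in zip(xs, ds):
            term = term * inv_fact[d] * falling(x, d, p) % p
        total = (total + term) % p
    return total


def carry_digit(i, xs, p):
    """Reference value: i-th p-ary digit of the integer sum of the digits xs."""
    return (sum(xs) // p ** i) % p


def count_terms(i, n, p):
    """Coefficient of X^(p^i) in (1 + X + ... + X^(p-1))^n, which counts the
    [p-1]-restricted compositions of p^i of length n."""
    poly = [1]
    for _ in range(n):
        nxt = [0] * (len(poly) + p - 1)
        for a, c in enumerate(poly):
            for b in range(p):
                nxt[a + b] += c
        poly = nxt
    return poly[p ** i] if p ** i < len(poly) else 0


def elementary_symmetric(k, xs, p):
    """e_k(xs) reduced modulo p."""
    return sum(prod(c) for c in combinations(xs, k)) % p


def verify(p, n, max_i):
    """True if phi equals the true carry digit on all of (F_p)^n for i <= max_i."""
    return all(phi(i, xs, p) == carry_digit(i, xs, p)
               for i in range(max_i + 1)
               for xs in product(range(p), repeat=n))
```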
Example 2. When $p = 3$, the following expressions of the first three symmetric polynomials $\varphi_i$ in terms
of some famous generating families of symmetric polynomials are calculated by using the software Sage,
where m\, ej and s\ denote the monomial symmetric polynomials, elementary symmetric polynomials and 
Schur polynomials, respectively. Here, some relations between these polynomials owing to the fact that the 
coefficient field is F 3 instead of Q are utilized; e.g., we have mii 3 i = 2 mi 2 = —mi 2 as polynomials over F 3 . 


ipo = mil = ei 


ipi = mi 3 — mii2i — mi 2 = 63 — 6261 — 62 = —S1121 ~ 


ip2 — TfLiS — 7Tli8 — — TTZ-^e — Tn-\52^ — TTl\b Tni422 — Tn\42i — 1TI\32^ H" Tfi\223 Tn\i2^ 

= eg + egei — 6762 + ey — 6563 — e^ei — 65 + 6564 + 6563 — 6564 — 65 

= (S 49 — Si 522 + 5112“*) + (si® "b 'S 4621 + Si 422 + 5122®) + (”' 84521 ) + (846 — S 4421 ) + ( —S 45 ) . 

We give an observation for the result of Theorem 3. For a tuple $d = (d_1,\dots,d_n)$ of non-negative integers,
let

$$\Gamma_d(x_1,\dots,x_n) = \prod_{j=1}^{n} x_j (x_j - 1) \cdots (x_j - d_j + 1).$$

Then it is straightforward to show that the linear space of polynomials in $x_1,\dots,x_n$ with total degree at
most $D$ and degree at most $p-1$ in each variable $x_j$ is spanned as a basis (over any field) by the polynomials
$\Gamma_d(x_1,\dots,x_n)$ with $d \in R_{\le D}$, where $R_{\le D}$ consists of tuples $d$ with $d_j \in [p-1]$ for each index $j$ and
$d_1 + \cdots + d_n \le D$. Let $R_D = R_{\le D} \setminus R_{\le D-1}$. Now Theorem 3 shows that the minimal polynomial expression
of $\varphi_i$ lies in the subspace spanned by the polynomials $\Gamma_d(x_1,\dots,x_n)$ with $d \in R_{p^i}$, and the corresponding
coefficients have a fairly simple expression. This fact inspires an alternative proof of Theorem 3 which does
not rely on Lucas' Theorem (nor an essentially similar argument in Remark 1); note that this proof is also
different from the one in the previous work by Boyar et al. [1] for $p = 2$.

Another proof of Theorem 3. First, we assume (as seen in the next paragraph) that $\deg \varphi_i(x_1,\dots,x_n) \le p^i$.
Then $\varphi_i(x_1,\dots,x_n)$ belongs to the above-mentioned linear space over $\mathbb{F}_p$ spanned by $\Gamma_d(x_1,\dots,x_n)$ with
$d \in R_{\le p^i}$. Let $\gamma_d$ be the coefficient of $\Gamma_d(x_1,\dots,x_n)$ in the corresponding expression of $\varphi_i(x_1,\dots,x_n)$.
Moreover, we define a partial ordering $\preceq$ on the tuples of $n$ non-negative integers in a way that $d \preceq d'$ if and
only if $d_j \le d'_j$ for every index $j$. Now for $d, d' \in R_{\le p^i}$, we have $\Gamma_d(d'_1,\dots,d'_n) = 0$ unless $d \preceq d'$, therefore

$$\varphi_i(d'_1,\dots,d'_n) = \sum_{d \preceq d'} \gamma_d \, \Gamma_d(d'_1,\dots,d'_n).$$

Based on this equality, since $\varphi_i(d'_1,\dots,d'_n) = 0$ for every $d' \in R_{\le p^i - 1}$ by the meaning of $\varphi_i$ and we have
$\Gamma_d(d_1,\dots,d_n) = \prod_{j=1}^{n} d_j! \ne 0$ in $\mathbb{F}_p$, a recursive argument implies that $\gamma_d = 0$ for every $d \in R_{\le p^i - 1}$.
Moreover, by virtue of this property, for each $d \in R_{p^i}$, we have

$$1 = \varphi_i(d_1,\dots,d_n) = \gamma_d \cdot \Gamma_d(d_1,\dots,d_n) = \gamma_d \prod_{j=1}^{n} d_j!,$$

therefore $\gamma_d = \prod_{j=1}^{n} (1/d_j!)^{(p)}$. Hence $\varphi_i$ has the expression as in the statement of Theorem 3.

The remaining task is to show that $\deg \varphi_i(x_1,\dots,x_n) \le p^i$. The case $i = 0$ is obvious, therefore we
consider the case $i \ge 1$. We prove the claim by induction on $n$. The first case $n = 1$ is obvious; $\varphi_i(x_1) = 0$
for $i \ge 1$. On the other hand, for the case when $i = 1$ and $n = 2$, the fact $\deg \varphi_1(x_1, x_2) = p$ was proven
in [7] (by an elementary argument without Lucas' Theorem). For the remaining cases, the $p$-ary expression
of $(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} \cdots +_{\mathbb{Z}} (x_{n-1})_{\mathbb{Z}}$ is $(\dots, \varphi_1(x_1,\dots,x_{n-1})_{\mathbb{Z}}, \varphi_0(x_1,\dots,x_{n-1})_{\mathbb{Z}})_p$, and $\deg \varphi_i(x_1,\dots,x_{n-1}) \le p^i$ by
the induction hypothesis. Now by the meaning of $\varphi_i$, we have $\varphi_i(x_1,\dots,x_n) - \varphi_i(x_1,\dots,x_{n-1}) \in \{0,1\}$,
and the case $\varphi_i(x_1,\dots,x_n) - \varphi_i(x_1,\dots,x_{n-1}) = 1$ occurs precisely when $\varphi_j(x_1,\dots,x_{n-1}) = p-1$ for every
$1 \le j \le i-1$ and $\varphi_0(x_1,\dots,x_{n-1})_{\mathbb{Z}} + (x_n)_{\mathbb{Z}} \ge p$. For the former condition, $\deg \chi[y = p-1] \le p-1$
by Proposition 1, therefore $\deg \chi[\varphi_j(x_1,\dots,x_{n-1}) = p-1] \le p^j(p-1)$ for each $1 \le j \le i-1$. On the
other hand, for the latter condition, we have $\chi[\varphi_0(x_1,\dots,x_{n-1})_{\mathbb{Z}} + (x_n)_{\mathbb{Z}} \ge p] = \varphi_1(\varphi_0(x_1,\dots,x_{n-1}), x_n)$,
therefore $\deg \chi[\varphi_0(x_1,\dots,x_{n-1})_{\mathbb{Z}} + (x_n)_{\mathbb{Z}} \ge p] \le p$. By these arguments, we have

$$\varphi_i(x_1,\dots,x_n) - \varphi_i(x_1,\dots,x_{n-1}) = \chi[\varphi_0(x_1,\dots,x_{n-1})_{\mathbb{Z}} + (x_n)_{\mathbb{Z}} \ge p] \cdot \prod_{j=1}^{i-1} \chi[\varphi_j(x_1,\dots,x_{n-1}) = p-1]$$

and

$$\deg\bigl(\varphi_i(x_1,\dots,x_n) - \varphi_i(x_1,\dots,x_{n-1})\bigr) \le p + \sum_{j=1}^{i-1} p^j (p-1) = p^i.$$

Hence we have $\deg \varphi_i(x_1,\dots,x_n) \le p^i$ by the induction hypothesis, concluding the proof.

□


We also note that, when $n = 2$, Theorem 3 can be refined as follows (note that now $\varphi_i = 0$ for $i \ge 2$,
since $2(p-1) < p^2$):

Theorem 4. In the case $n = 2$, for $x_1, x_2 \in \mathbb{F}_p$, we have

$$\varphi_1(x_1, x_2) = \sum_{d_1=1}^{p-1} (-1)^{d_1} \left(\frac{1}{d_1}\right)^{(p)} x_1 (x_1 - 1) \cdots (x_1 - d_1 + 1)\, x_2 (x_2 - 1) \cdots (x_2 - (p - d_1) + 1).$$

Proof. First we note that $(p-1)! \equiv (-1)^p \pmod p$; indeed, when $p$ is odd, the set $\mathbb{F}_p \setminus \{-1, 0, 1\}$ can be
divided into disjoint subsets of the form $\{a, a^{-1}\}$ with $a \ne a^{-1}$. For the formula in Theorem 3, we have
$d_2 = p - d_1$ for the indices $d_1, d_2$, therefore $1 \le d_1 \le p-1$. Now we have

$$\left(\frac{1}{d_1!\, d_2!}\right)^{(p)} = \left(\frac{(-1)^p (p-1)!}{d_1!\,(p-d_1)!}\right)^{(p)} = \left(\frac{(-1)^p}{d_1} \binom{p-1}{p-d_1}\right)^{(p)} = \left(\frac{(-1)^{d_1}}{d_1}\right)^{(p)},$$

where we used the fact that $\binom{p-1}{a} \equiv (-1)^a \pmod p$ for any $a \in [p-1]$. Therefore the claim holds by
Theorem 3. □


3.2 Addition of p-ary Integers Based on Polynomials 

We show an algorithm for addition of $p$-ary integers $a_h = (a_{h,m} \cdots a_{h,1} a_{h,0})_p$, $h = 1,\dots,n$, based on the
result of Section 3.1, which has applications to cryptology as mentioned in the Introduction. Here, as above,
each digit $a_{h,i}$ of $a_h$ is represented by an element of $\mathbb{F}_p$. First, let $d$ be the smallest non-negative integer
satisfying that $(n+d)(p-1) < p^{d+1}$. Now we have

$$a_1 + \cdots + a_n \le n(p^{m+1} - 1) = n(p-1)(p^m + \cdots + p + 1) < p^{d+1}(p^m + \cdots + p + 1) < p^{d+1} \cdot p^{m+1} = p^{m+d+2},$$

therefore the result of the addition $c = a_1 + \cdots + a_n$ can be expressed by $m+d+2$ digits; $c = (c_{m+d+1} \cdots c_1 c_0)_p$,
$c_i \in \mathbb{F}_p$. Then the digits of $c$ and the carries $\gamma_{j,k} \in \mathbb{F}_p$ ($0 \le j < k \le m+d+1$, $k \le j+d$) during the
addition ($\gamma_{j,k}$ means the carry to the $k$-th digit from the calculation at the $j$-th digit) are calculated by using the
algorithm shown in Figure 1. Note that we have $\varphi_k(a_{1,i},\dots,a_{n,i},\gamma_{i-d,i},\gamma_{i-(d-1),i},\dots,\gamma_{i-1,i}) = 0$ for $k > d$
by the above-mentioned property $(n+d)(p-1) < p^{d+1}$. This implies that the algorithm calculates the sum
of $a_1,\dots,a_n$ correctly.

From now, we focus on the case of addition of two integers (i.e., $n = 2$). We note that, in this case, owing
to the relation $2(p-1) + 1 < p^2$, it suffices to consider the carries from each digit to the next digit only, and
the value of each carry is either 0 or 1. Now the polynomials used in the algorithm above can be slightly
simplified as follows:






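Figure 1: Algorithm for p-ary integer addition based on polynomials; here $d$ denotes the smallest non-negative
integer satisfying $(n+d)(p-1) < p^{d+1}$

Input: $a_h = (a_{h,m} \cdots a_{h,1} a_{h,0})_p$ ($h \in \{1,\dots,n\}$, $a_{h,i} \in \mathbb{F}_p$)
Initialize the variables as $\gamma_{j,k} \leftarrow 0$
For $i = 0, 1, \dots, m+d+1$ Do:
    Set $c_i \leftarrow \varphi_0(a_{1,i},\dots,a_{n,i},\gamma_{i-d,i},\gamma_{i-(d-1),i},\dots,\gamma_{i-1,i})$
    /* Comment: Input variables $a_{1,i},\dots,a_{n,i}$ are ignored when $i > m$ */
    /* Comment: Input variables $\gamma_{i-j,i}$ are ignored when $i - j < 0$ */
    For $k = 1, 2, \dots, \min\{d, m+d+1-i\}$ Do:
        Set $\gamma_{i,i+k} \leftarrow \varphi_k(a_{1,i},\dots,a_{n,i},\gamma_{i-d,i},\gamma_{i-(d-1),i},\dots,\gamma_{i-1,i})$
    End Do
End Do
Output $c = (c_{m+d+1} \cdots c_1 c_0)_p$


Figure 2: Algorithm for addition of two p-ary integers based on polynomials

Input: $a_h = (a_{h,m} \cdots a_{h,1} a_{h,0})_p$ ($h = 1, 2$; $a_{h,i} \in \mathbb{F}_p$)
Set $c_0 \leftarrow a_{1,0} + a_{2,0}$; $\gamma_{0,1} \leftarrow \varphi_1(a_{1,0}, a_{2,0})$
For $i = 1, \dots, m$ Do:
    Set $c_i \leftarrow a_{1,i} + a_{2,i} + \gamma_{i-1,i}$ and $\gamma_{i,i+1} \leftarrow \varphi'(a_{1,i}, a_{2,i}, \gamma_{i-1,i})$
End Do
Set $c_{m+1} \leftarrow \gamma_{m,m+1}$
Output $c = (c_{m+1} \cdots c_1 c_0)_p$
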



Proposition 4. For $x_1, x_2 \in \mathbb{F}_p$ and $\gamma \in \{0,1\} \subset \mathbb{F}_p$, we have $\varphi_1(x_1, x_2, \gamma) = \varphi'(x_1, x_2, \gamma)$, where

$$\varphi'(x_1, x_2, \gamma) = \varphi_1(x_1, x_2) + \gamma \cdot \bigl(1 - (x_1 + x_2 + 1)^{p-1}\bigr).$$

Proof. In the calculation of $(x_1)_{\mathbb{Z}} +_{\mathbb{Z}} (x_2)_{\mathbb{Z}} +_{\mathbb{Z}} \gamma_{\mathbb{Z}}$, for each choice of $x_1, x_2$, the carry to the next digit for the
case $\gamma = 1$ is different from that for the case $\gamma = 0$ if and only if $x_1 + x_2 = p-1$. Moreover, in the case
$x_1 + x_2 = p-1$, the carry is 1 when $\gamma = 1$ and it is 0 when $\gamma = 0$, i.e., it is equal to $\gamma$. Since the carry when
$\gamma = 0$ is nothing but $\varphi_1(x_1, x_2)$ for any $x_1, x_2$, we have

$$\varphi_1(x_1, x_2, \gamma) = \varphi_1(x_1, x_2) + \gamma \cdot \chi[x_1 + x_2 = p-1],$$

while we have $\chi[x_1 + x_2 = p-1] = 1 - (x_1 + x_2 + 1)^{p-1}$ by Fermat's Little Theorem. This completes the
proof of Proposition 4. □

Moreover, since $a_1 + a_2 \le 2(p^{m+1} - 1) \le p(p^{m+1} - 1) < p^{m+2}$, the sum $c = a_1 + a_2$ can be expressed by
$m+2$ digits; $c = (c_{m+1} \cdots c_1 c_0)_p$, $c_i \in \mathbb{F}_p$. Now the addition of $a_1$ and $a_2$ can be calculated by the algorithm
in Figure 2.
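The algorithm of Figure 2, with the carry computed by Theorem 4 and Proposition 4, is sketched below as an added example that is not part of the paper. The class `Ct` is a constructed stand-in for a ciphertext over $\mathbb{F}_p$ (it performs no encryption and is not the scheme of [7]); it exposes only addition and multiplication, so the code shows that the whole addition needs nothing else.

```python
class Ct:
    """Mock ciphertext holding a plaintext in F_p (constructed stand-in, no real
    encryption). Only + and * are exposed, as an FHE scheme over F_p would offer."""
    mults = 0  # ciphertext-by-ciphertext multiplications performed so far

    def __init__(self, m, p):
        self._m, self.p = m % p, p

    def _plain(self, other):
        # Integers are treated as public constants of F_p.
        return other._m if isinstance(other, Ct) else other % self.p

    def __add__(self, other):
        return Ct(self._m + self._plain(other), self.p)

    def __mul__(self, other):
        if isinstance(other, Ct):
            Ct.mults += 1
        return Ct(self._m * self._plain(other), self.p)

    __radd__, __rmul__ = __add__, __mul__


def falling(x, d):
    """x (x-1) ... (x-d+1) for d >= 1; the subtraction x - k is written x + (p - k)."""
    out = x
    for k in range(1, d):
        out = out * (x + (x.p - k))
    return out


def power(x, e):
    """x^e for e >= 1 by repeated multiplication."""
    out = x
    for _ in range(e - 1):
        out = out * x
    return out


def phi1(x1, x2):
    """Carry of x1 + x2 via the closed form of Theorem 4."""
    p = x1.p
    total = 0
    for d in range(1, p):
        coeff = (-1) ** d * pow(d, -1, p) % p   # ((-1)^d / d)^{(p)}, a public constant
        total = total + coeff * (falling(x1, d) * falling(x2, p - d))
    return total


def phi_prime(x1, x2, g):
    """Proposition 4: carry of x1 + x2 + g for an incoming carry g in {0, 1}."""
    p = x1.p
    return phi1(x1, x2) + g * (1 + (p - 1) * power(x1 + x2 + 1, p - 1))


def add_encrypted(a, b):
    """Figure 2 on little-endian digit lists a, b of equal length m + 1."""
    c = [a[0] + b[0]]
    carry = phi1(a[0], b[0])
    for x, y in zip(a[1:], b[1:]):
        c.append(x + y + carry)
        carry = phi_prime(x, y, carry)
    c.append(carry)
    return c


def encrypt_int(value, p, ndigits):
    """Little-endian p-ary digits of value, each wrapped in the mock ciphertext."""
    return [Ct(value // p ** i, p) for i in range(ndigits)]


def decrypt_int(digits):
    """Test helper: read the plaintext digits back and rebuild the integer."""
    return sum(d._m * d.p ** i for i, d in enumerate(digits))


def demo(a, b, p, ndigits):
    """Add a and b digit by digit using only Ct additions and multiplications."""
    return decrypt_int(add_encrypted(encrypt_int(a, p, ndigits),
                                     encrypt_int(b, p, ndigits)))
```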

4 Polynomial Expressions of Carries for Multiplication 

In Section 4.1 we determine the minimal polynomial expression of the function $\psi_1(x_1,\dots,x_n)$ that yields
the carry to the next digit in the integer multiplication $(x_1)_{\mathbb{Z}} \times_{\mathbb{Z}} \cdots \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}}$ (see (2) in the Introduction for
the precise definition of $\psi_1$). The other carry functions $\psi_i$ to higher digits, i.e., with $i \ge 2$, are not considered
here and are left as a future research subject. Here we assume $p > 2$, since the problem for the case $p = 2$
is trivial as mentioned in the Introduction (in fact, the assumption $p > 2$ is indeed used in our argument).
Then in Section 4.2 we discuss an algorithm for multiplication of $p$-ary integers where each step is composed
of polynomial evaluations.

4.1 The Results 

Here we determine the minimal polynomial expression of the function $\psi_1(x_1,\dots,x_n)$ defined above for $p > 2$.

The result is as follows (restatement of Theorem 2 in the Introduction):

Theorem 5. Let $p$ be an odd prime. Then the minimal polynomial expression of $\psi_1(x_1,\dots,x_n)$ is given by

$$\psi_1(x_1,\dots,x_n) = x_1 \cdots x_n \Bigl( \Psi(x_1 \cdots x_n) - \sum_{j=1}^{n} \Psi(x_j) + (n-1)\Psi(1) \Bigr), \tag{4}$$

where $\Psi(t)$ is a polynomial defined by

$$\Psi(t) = \sum_{i=1}^{p-2} \left(\frac{B_{p-1-i}}{p-1-i}\right)^{(p)} t^i = \sum_{i=1}^{(p-3)/2} \left(\frac{B_{p-1-2i}}{p-1-2i}\right)^{(p)} t^{2i} + \frac{p-1}{2}\, t^{p-2} \tag{5}$$

(see Section 2 for the notation $\alpha^{(p)}$ for $\alpha \in \mathbb{Q}$). We also have

$$\Psi(1) = (w_p)^{(p)} = \left(B_{p-1} + \frac{1}{p} - 1\right)^{(p)}, \tag{6}$$

where $w_p = ((p-1)! + 1)/p$ is Wilson's quotient.

We recall that we are using the convention $B_1 = -1/2$ (rather than $B_1 = 1/2$) for the Bernoulli numbers
$B_i$, i.e., $t/(e^t - 1) = \sum_{m \ge 0} B_m t^m / m!$. By this and the fact that $B_\ell = 0$ for odd indices $\ell > 1$, the second
equality in (5) follows immediately from the first equality. On the other hand, the second equality in (6) is
nothing but the following known relation [3]: $w_p \equiv B_{p-1} + 1/p - 1 \pmod p$ for any prime $p$.
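As an added example (not code from the paper), the statement of Theorem 5 can be checked numerically: the sketch builds $\Psi$ from exact Bernoulli numbers, reduces the coefficients with the map $\alpha \mapsto \alpha^{(p)}$, and compares $\psi_1$ with the carry digit of the integer product. Function names are chosen here for illustration.

```python
from fractions import Fraction
from itertools import product
from math import comb, factorial, prod


def bernoulli(n_max):
    """B_0..B_{n_max} with the convention B_1 = -1/2, i.e. t/(e^t - 1)."""
    B = [Fraction(1)]
    for m in range(1, n_max + 1):
        B.append(-sum(comb(m + 1, k) * B[k] for k in range(m)) / (m + 1))
    return B


def to_fp(alpha, p):
    """alpha^{(p)}: numerator times the inverse of the denominator modulo p."""
    if alpha.denominator % p == 0:
        raise ValueError("denominator is not coprime to p")
    return alpha.numerator * pow(alpha.denominator, -1, p) % p


def psi_coeffs(p):
    """Non-zero coefficients {i: c_i} of Psi(t) = sum_i c_i t^i, first form of (5)."""
    B = bernoulli(p - 2)
    coeffs = {}
    for i in range(1, p - 1):
        c = to_fp(B[p - 1 - i] / (p - 1 - i), p)
        if c:
            coeffs[i] = c
    return coeffs


def big_psi(t, p, coeffs):
    """Evaluate Psi(t) in F_p."""
    return sum(c * pow(t, i, p) for i, c in coeffs.items()) % p


def psi1(xs, p, coeffs):
    """Formula (4): carry to the next digit of the product of the digits xs."""
    x_prod = prod(xs) % p
    inner = (big_psi(x_prod, p, coeffs)
             - sum(big_psi(x, p, coeffs) for x in xs)
             + (len(xs) - 1) * big_psi(1, p, coeffs))
    return x_prod * inner % p


def carry_by_integers(xs, p):
    """Reference value: the digit at the p's place of the integer product."""
    return (prod(xs) // p) % p


def wilson_quotient(p):
    """w_p = ((p-1)! + 1) / p, an integer by Wilson's theorem."""
    return (factorial(p - 1) + 1) // p


def psi_at_one_via_bernoulli(p):
    """Right-hand side of (6): (B_{p-1} + 1/p - 1)^{(p)}."""
    return to_fp(bernoulli(p - 1)[p - 1] + Fraction(1, p) - 1, p)


def verify(p, n):
    """True if formula (4) matches the integer carry on all of (F_p)^n."""
    coeffs = psi_coeffs(p)
    return all(psi1(xs, p, coeffs) == carry_by_integers(xs, p)
               for xs in product(range(p), repeat=n))
```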

We divide the remaining proof of Theorem [5] into the following three steps: 


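Lemma 2. In the situation of Theorem 5, if $n = 2$, then the function $\psi_1(x_1,\dots,x_n)$ can be written as (4)
for some polynomial $\Psi(t)$ of degree at most $p-2$ with no constant term.

Proof. By Proposition 1, we can write $\psi_1(x,y)$ uniquely as $\psi_1(x,y) = \sum_{i,j=0}^{p-1} a_{i,j} x^i y^j$ with $a_{i,j} \in \mathbb{F}_p$. Note
that $a_{i,j} = a_{j,i}$ since the multiplication is symmetric. From now, we investigate the coefficients $a_{i,j}$.

First, note that $\psi_1(x, y) = 0$ if $y = 0$. This implies that $\psi_1(x, 0) = \sum_{i=0}^{p-1} a_{i,0} x^i$ is the minimal polynomial
expression of the zero function, therefore it is the zero polynomial by Proposition 1. Hence, we have $a_{i,0} = 0$,
therefore $a_{0,i} = 0$, for any index $i$.

Secondly, for any $x, y, z \in \mathbb{F}_p$, we have

$$\begin{aligned}
(x_{\mathbb{Z}} \times_{\mathbb{Z}} y_{\mathbb{Z}}) \times_{\mathbb{Z}} z_{\mathbb{Z}} &= \bigl(\psi_1(x,y)_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (xy)_{\mathbb{Z}}\bigr) \times_{\mathbb{Z}} z_{\mathbb{Z}} \\
&= \bigl(\psi_1(x,y)_{\mathbb{Z}} \times_{\mathbb{Z}} z_{\mathbb{Z}}\bigr) \times_{\mathbb{Z}} p +_{\mathbb{Z}} (xy)_{\mathbb{Z}} \times_{\mathbb{Z}} z_{\mathbb{Z}} \\
&\equiv (\psi_1(x,y) \cdot z)_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} \psi_1(xy,z)_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} ((xy)z)_{\mathbb{Z}} \pmod{p^2} \\
&\equiv (\psi_1(x,y) \cdot z + \psi_1(xy,z))_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (xyz)_{\mathbb{Z}} \pmod{p^2},
\end{aligned} \tag{7}$$

and similarly

$$x_{\mathbb{Z}} \times_{\mathbb{Z}} (y_{\mathbb{Z}} \times_{\mathbb{Z}} z_{\mathbb{Z}}) \equiv (x \cdot \psi_1(y,z) + \psi_1(x,yz))_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (xyz)_{\mathbb{Z}} \pmod{p^2}. \tag{8}$$

By the associativity of multiplication, (7) and (8) are equal to each other. Hence, by comparing the digits
at the $p$'s places of (7) and (8), we have

$$\psi_1(x,y) \cdot z + \psi_1(xy,z) = x \cdot \psi_1(y,z) + \psi_1(x,yz) \quad \text{for any } x, y, z, \tag{9}$$

therefore, for any $x, y, z \in \mathbb{F}_p$, we have

$$\sum_{i,j=1}^{p-1} a_{i,j} x^i y^j z + \sum_{i,j=1}^{p-1} a_{i,j} x^i y^i z^j = \sum_{i,j=1}^{p-1} a_{i,j} x y^i z^j + \sum_{i,j=1}^{p-1} a_{i,j} x^i y^j z^j. \tag{10}$$

Since the degrees of both sides with respect to each variable are at most $p-1$, Proposition 1 implies
that these are equivalent as polynomials. Then, for $i, j \ge 2$ with $i \ne j$, by comparing the coefficients of
$x^i y^j z$ in both sides of (10), we have $a_{i,j} = 0$. On the other hand, for $i \ge 2$, by comparing the coefficients of
$x^i y^i z$ in both sides of (10), we have $a_{i,i} + a_{i,1} = 0$, therefore $a_{i,1} = -a_{i,i}$. We also have $a_{1,i} = -a_{i,i}$ by the
symmetry. Summarizing the argument above, we have

$$\psi_1(x,y) = a_{1,1} xy + \sum_{i=2}^{p-1} a_{i,i} \bigl(x^i y^i - x^i y - x y^i\bigr) = xy \bigl(\Psi(xy) - \Psi(x) - \Psi(y) + a_{1,1}\bigr), \tag{11}$$

where we define $\Psi(t) := \sum_{i=1}^{p-2} a_{i+1,i+1} t^i$, which is a polynomial of degree at most $p-2$ with no constant
term. Now we have

$$0 = \psi_1(1,1) = \Psi(1) - \Psi(1) - \Psi(1) + a_{1,1} = a_{1,1} - \Psi(1),$$

therefore $a_{1,1} = \Psi(1)$. Hence Lemma 2 holds. □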

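Lemma 3. In the situation of Theorem 2, for any $n\ge 1$, the function $\psi_1(x_1,\dots,x_n)$ can be written as (4) for some polynomial $\Psi$ of degree at most $p-2$ with no constant term which is independent of $n$.

Proof. For the case $n = 1$, we have $\psi_1(x_1) = 0$ by the definition, while the right-hand side of (4) becomes zero for an arbitrary choice of $\Psi$. Therefore, the claim is trivial when $n = 1$. The case $n = 2$ has been shown in Lemma 2. We prove the claim for the case $n\ge 3$ by induction. We have

$$\begin{aligned}
(x_1)_{\mathbb{Z}} \times_{\mathbb{Z}} \cdots \times_{\mathbb{Z}} (x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}}
&= \bigl((x_1)_{\mathbb{Z}} \times_{\mathbb{Z}} \cdots \times_{\mathbb{Z}} (x_{n-1})_{\mathbb{Z}}\bigr) \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \\
&\equiv \bigl(\psi_1(x_1,\dots,x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (x_1\cdots x_{n-1})_{\mathbb{Z}}\bigr) \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \pmod{p^2} \\
&= \psi_1(x_1,\dots,x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (x_1\cdots x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}}.
\end{aligned}$$

Now we have

$$\psi_1(x_1,\dots,x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \equiv (\psi_1(x_1,\dots,x_{n-1})\cdot x_n)_{\mathbb{Z}} \pmod p$$

and

$$(x_1\cdots x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \equiv \psi_1(x_1\cdots x_{n-1},x_n)_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (x_1\cdots x_n)_{\mathbb{Z}} \pmod{p^2}.$$

Since $a_{\mathbb{Z}} +_{\mathbb{Z}} b_{\mathbb{Z}} \equiv (a+b)_{\mathbb{Z}} \pmod p$ for any $a,b\in\mathbb{F}_p$, the combination of the equalities above implies that

$$(x_1)_{\mathbb{Z}} \times_{\mathbb{Z}} \cdots \times_{\mathbb{Z}} (x_{n-1})_{\mathbb{Z}} \times_{\mathbb{Z}} (x_n)_{\mathbb{Z}} \equiv \bigl(\psi_1(x_1,\dots,x_{n-1})\cdot x_n + \psi_1(x_1\cdots x_{n-1},x_n)\bigr)_{\mathbb{Z}} \times_{\mathbb{Z}} p +_{\mathbb{Z}} (x_1\cdots x_n)_{\mathbb{Z}} \pmod{p^2},$$

therefore we have

$$\psi_1(x_1,\dots,x_n) = \psi_1(x_1,\dots,x_{n-1})\cdot x_n + \psi_1(x_1\cdots x_{n-1},x_n).$$

Now the induction hypothesis implies that the right-hand side is equal to

$$\begin{aligned}
&x_1\cdots x_{n-1}\Bigl(\Psi(x_1\cdots x_{n-1}) - \sum_{j=1}^{n-1}\Psi(x_j) + (n-2)\Psi(1)\Bigr)\cdot x_n \\
&\qquad + (x_1\cdots x_{n-1})x_n\bigl(\Psi((x_1\cdots x_{n-1})x_n) - \Psi(x_1\cdots x_{n-1}) - \Psi(x_n) + \Psi(1)\bigr) \\
&= x_1\cdots x_n\Bigl(\Psi(x_1\cdots x_n) - \sum_{j=1}^{n}\Psi(x_j) + (n-1)\Psi(1)\Bigr)
\end{aligned}$$

as desired. Hence Lemma 3 holds. □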

Before moving to the final step of the proof of Theorem 2, we note some properties of the Bernoulli polynomials $B_m(x)$, which are defined in terms of the Bernoulli numbers $B_\ell = B_\ell(0)\in\mathbb{Q}$ by


= (12) 
s=0 ' 

First, we note the following consequence of the von Staudt-Clausen Theorem (see e.g., Chapter 15 of [1]):

Proposition 5. For any even integer $\ell > 0$, the denominator of $B_\ell$ is the product of all primes $q$ for which $q-1$ divides $\ell$.

By Proposition 5 and the fact that $B_0 = 1$, $B_1 = -1/2$ and $B_\ell = 0$ for every odd index $\ell > 1$, it follows that, for any odd prime $p$, the denominators of $B_0, B_1, \dots, B_{p-3}$ are all coprime to $p$. Hence, Lemma 1 can be applied to the Bernoulli polynomials $B_m(x)$ with $0\le m\le p-3$. In particular, for $a,b\in\mathbb{Q}$ with denominators being coprime to $p$, if $0\le m\le p-3$ and $a^{\langle p\rangle} = b^{\langle p\rangle}$, then we have

$$B_m(a)^{\langle p\rangle} = B_m^{\langle p\rangle}(a^{\langle p\rangle}) = B_m^{\langle p\rangle}(b^{\langle p\rangle}) = B_m(b)^{\langle p\rangle}.$$

Secondly, it is known (see e.g., Chapter 15 of [1]) that, for any positive integers $m, N$, we have

$$\sum_{k=1}^{N} k^m = \frac{1}{m+1}\bigl(B_{m+1}(N+1) - B_{m+1}\bigr). \tag{13}$$

Finally, we use the following property in the argument below (see e.g., Chapter 15 of [1]):

Proposition 6. For integers $m\ge 1$ and $n\ge 0$, we have

$$B_n(mx) = m^{n-1}\sum_{k=0}^{m-1} B_n\Bigl(x + \frac{k}{m}\Bigr).$$


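Proof of Theorem 2. By Lemmas 2 and 3, the remaining task is to show that the polynomial $\Psi(t) = \sum_{i=1}^{p-2}\beta_i t^i$ specified in Lemma 2 satisfies that $\beta_i = (B_{p-1-i}/(p-1-i))^{\langle p\rangle}$ for every index $i$, and to show the relation $\Psi(1) = (w_p)^{\langle p\rangle}$ at the last of the statement. We use the expression of $\psi_1(x,y)$ as in (4) which has been proven in Lemma 3.

Let $\xi$ be a primitive root modulo $p$. Then for each index $1\le i\le p-2$, the coefficient of $x^{i+1}$ in $\psi_1(x,\xi) = \xi x(\Psi(\xi x) - \Psi(x) - \Psi(\xi) + \Psi(1))$ is $\beta_i\xi(\xi^i - 1)$. On the other hand, for each integer $0\le k\le \xi_{\mathbb{Z}}-1$, we have $\psi_1(x,\xi) = k$ if $\lceil kp/\xi_{\mathbb{Z}}\rceil \le x_{\mathbb{Z}} \le \lceil (k+1)p/\xi_{\mathbb{Z}}\rceil - 1$. Therefore, we have

$$\psi_1(x,\xi) = \sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=\lceil kp/\xi_{\mathbb{Z}}\rceil}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} k\cdot\chi[x = z] = \sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=\lceil kp/\xi_{\mathbb{Z}}\rceil}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} k\cdot\bigl(1 - (x-z)^{p-1}\bigr).$$

The coefficient (in $\mathbb{F}_p$) of $x^{i+1}$ in the right-hand side is

$$-\sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=\lceil kp/\xi_{\mathbb{Z}}\rceil}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} k\binom{p-1}{i+1}(-z)^{p-i-2} = -\sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=\lceil kp/\xi_{\mathbb{Z}}\rceil}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} k z^{p-i-2}$$

where we used the fact $\binom{p-1}{i+1} \equiv (-1)^{i+1} \pmod p$ (note that now $(-1)^{p-1} = 1$). By the argument above, we have

$$\beta_i\xi(\xi^i - 1) = -\sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=\lceil kp/\xi_{\mathbb{Z}}\rceil}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} k z^{p-i-2}.$$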

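For the right-hand side, we have

$$\sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=\lceil kp/\xi_{\mathbb{Z}}\rceil}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} k z^{p-i-2} = \sum_{k=1}^{\xi_{\mathbb{Z}}-1} k\Bigl(\sum_{z=1}^{\lceil (k+1)p/\xi_{\mathbb{Z}}\rceil-1} z^{p-i-2} - \sum_{z=1}^{\lceil kp/\xi_{\mathbb{Z}}\rceil-1} z^{p-i-2}\Bigr) = (\xi-1)\sum_{z=1}^{p-1} z^{p-i-2} - \sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=1}^{\lceil kp/\xi_{\mathbb{Z}}\rceil-1} z^{p-i-2}.$$

To compute the first term of the right-hand side, we have the following equality in $\mathbb{F}_p$:

$$\sum_{z\in\mathbb{F}_p\setminus\{0\}} z^j = \sum_{\ell=0}^{p-2}(\xi^\ell)^j = \sum_{\ell=0}^{p-2}(\xi^j)^\ell = \begin{cases} \dfrac{(\xi^j)^{p-1}-1}{\xi^j-1} = 0 & (\text{for } 1\le j\le p-2) \\[2mm] p-1 = -1 & (\text{for } j = 0 \text{ and } j = p-1) \end{cases} \tag{14}$$

where we used the fact that $\xi^j \ne 1$ for $1\le j\le p-2$ and $(\xi^j)^{p-1} = 1$ (by Fermat's Little Theorem). Therefore, we have

$$\beta_i\xi(\xi^i-1) = \chi[i = p-2]\cdot(\xi-1) + \sum_{k=1}^{\xi_{\mathbb{Z}}-1}\ \sum_{z=1}^{\lceil kp/\xi_{\mathbb{Z}}\rceil-1} z^{p-i-2}. \tag{15}$$

For the case $1\le i\le p-3$, by applying the fact (13), we have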


' ?Z-1 [fep/Szl-l 

E E 

k—1 2=1 


<p> 




HE 


1 


, fe=l 


p — 1 — i 




kp 


p — \ — i 


(p) Az-i 

(E/ ^p-i-* 
V fc=i 


kp 


1 \ (P) 


(p) 


-(e-l)(i3p-i-.) 


(p> 


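For each index $1\le k\le \xi_{\mathbb{Z}}-1$, let $\delta_k$ denote the remainder (in the range $[\xi_{\mathbb{Z}}-1]$) of $kp$ modulo $\xi_{\mathbb{Z}}$. Then, since $\xi_{\mathbb{Z}}$ is coprime to $p$, $\delta_1$ is a generator of the additive cyclic group $\mathbb{Z}/\xi_{\mathbb{Z}}\mathbb{Z}$. This implies that the $\delta_k$ are all distinct and $\{\delta_1,\delta_2,\dots,\delta_{\xi_{\mathbb{Z}}-1}\} = \{1,2,\dots,\xi_{\mathbb{Z}}-1\}$. Moreover, for each index $1\le k\le \xi_{\mathbb{Z}}-1$, we have $\lceil kp/\xi_{\mathbb{Z}}\rceil = kp/\xi_{\mathbb{Z}} + (\xi_{\mathbb{Z}}-\delta_k)/\xi_{\mathbb{Z}}$ by the definition of $\delta_k$, therefore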


kp 


(p> 


kp , i%-5k 




kp) 


( 16 ) 


This implies that 


^z —1 

E Bp-i-i 

fc=i 


kp 


1 \ (p> &-1 


— E kip-l-i 

k=l 
5z—1 

= E Bp-i-i 


Cz - 5k 


(p> 


k=l 


P \ (p) / P 

^ -E ^ 


fe=i 


<p> 
therefore


&—1 

Bp-i-i 

k=l 


kp 


1 \ (p'> 


?z —1 




k =0 


(p) 


){p) 


Moreover, by setting $x = 0$, $m = \xi_{\mathbb{Z}}$ and $n = p-1-i$ in Proposition 6, it follows that

fa — 1 / 7 

-1 


therefore (since $\xi^{p-1} = 1$ in $\mathbb{F}_p$)




Summarizing, the right-hand side of (15) is equal to

(p) 




(P> 


therefore (since $\xi\ne 0$ and $\xi^i\ne 1$ by the choice of $\xi$) we have $\beta_i = (B_{p-1-i}/(p-1-i))^{\langle p\rangle}$, as desired.
On the other hand, for the case $i = p-2$, we have


fa-1 ffep/fal-i 


(p> 


^z —1 


^-1 + E E 


p-i -2 


k —1 z —1 


fc=l 


=«-i + E( S -d =E 






where we used the property (16). Since $\{\delta_1,\delta_2,\dots,\delta_{\xi_{\mathbb{Z}}-1}\} = \{1,2,\dots,\xi_{\mathbb{Z}}-1\}$ as shown above, we have


^Z —1 




£'f^v'’=rf s 


(p> 




,fc=i 


- 1 


(p> 


Hence, by (15) and the fact $\xi^{p-1} = 1$, we have


/3p_2(l-e) = 


- 1 


(p> 


therefore, since $\xi\ne 1$ and $B_1 = -1/2$, we have $\beta_{p-2} = (-1/2)^{\langle p\rangle} = B_1^{\langle p\rangle}$, as desired. Summarizing, the equality (5) is now proven.

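Finally, we show that $\Psi(1) = (w_p)^{\langle p\rangle}$. By using the relation (4) with $n = p$, for any $x\in\mathbb{F}_p\setminus\{0\}$, we have (in $\mathbb{F}_p$)

$$\psi_1(\underbrace{x,\dots,x}_{p}) = x^p\bigl(\Psi(x^p) - p\cdot\Psi(x) + (p-1)\Psi(1)\bigr) = x(\Psi(x) - \Psi(1)).$$

This implies that

$$(x_{\mathbb{Z}})^p \equiv (x^p)_{\mathbb{Z}} +_{\mathbb{Z}} \psi_1(\underbrace{x,\dots,x}_{p})_{\mathbb{Z}} \times_{\mathbb{Z}} p \equiv x_{\mathbb{Z}} +_{\mathbb{Z}} x_{\mathbb{Z}} \times_{\mathbb{Z}} (\Psi(x) - \Psi(1))_{\mathbb{Z}} \times_{\mathbb{Z}} p \pmod{p^2},$$

therefore

$$\Psi(x) - \Psi(1) = \Bigl(\frac{(x_{\mathbb{Z}})^{p-1} - 1}{p}\Bigr)^{\langle p\rangle} = q_p(x_{\mathbb{Z}})^{\langle p\rangle} \tag{17}$$

where $q_p(x) = (x^{p-1} - 1)/p$ denotes the Fermat quotient. We use the following relation between the Fermat quotient and Wilson's quotient [5]:

$$\sum_{a=1}^{p-1} q_p(a) \equiv w_p \pmod p.$$

By this relation, we have

$$w_p \equiv \sum_{x=1}^{p-1} q_p(x) = \sum_{x=1}^{p-1}(\Psi(x) - \Psi(1)) = \sum_{i=1}^{p-2}\sum_{x=1}^{p-1}\beta_i x^i - (p-1)\Psi(1) = 0 + \Psi(1) = \Psi(1) \pmod p$$

as desired, where we used the equality (14). This completes the proof of Theorem 2. □

Table 1: Some Bernoulli numbers $B_\ell$; note that $B_\ell = 0$ for odd indices $\ell > 1$

    ℓ      | 0 | 1    | 2    | 4      | 6     | 8      | 10    | 12         | 14   | 16
    B_ℓ    | 1 | -1/2 | 1/6  | -1/30  | 1/42  | -1/30  | 5/66  | -691/2730  | 7/6  | -3617/510
    B_ℓ/ℓ  |   | -1/2 | 1/12 | -1/120 | 1/252 | -1/240 | 1/132 | -691/32760 | 1/12 | -3617/8160

Table 2: Some Wilson's quotients $w_p$ modulo primes $p$; recall that $\Psi(1) \equiv w_p \pmod p$

    p          | 3 | 5 | 7 | 11 | 13 | 17 | 19 | 23 | 29 | 31
    w_p mod p  | 1 | 0 | 5 | 1  | 0  | 5  | 2  | 8  | 18 | 19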

We note that the minimal polynomial expression of a general function $(\mathbb{F}_p)^n \to \mathbb{F}_p$ consists of $p^n$ monomials in the worst case. In contrast, the polynomial expression of $\psi_1$ given above consists of only $(n+1)(p-1)/2 + 1$ monomials, which is significantly fewer than the worst-case number $p^n$ of monomials.

Remark 2. The expression (4) of $\psi_1$ in terms of the auxiliary function $\Psi$ and a “meaning” of $\Psi$ can be interpreted from a more algebraic viewpoint. See the Appendix below for the detailed observation.

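Example 3. We compute the polynomials $\Psi(t)$ and $\psi_1(x,y)$ for some small odd primes $p$. For the case $p = 3$, $\Psi(t)$ has only the highest term $\Psi(t) = (p-1)/2\cdot t^{p-2} = t$, therefore

$$\psi_1(x,y) = xy(xy - x - y + 1) = x(x-1)y(y-1) \quad\text{for } p = 3.$$

For the other $p$, we quote from A000367 and A002445 of [5] some values of Bernoulli numbers (Table 1), and from A002068 of [5] some values of Wilson's quotients; the polynomials $\Psi(t)$ are then calculated by using Theorem 2 and Tables 1 and 2.

For $p = 5$, we have

$$\Psi(t) = \Bigl(2t^3 + \frac{1}{12}t^2\Bigr)^{\langle 5\rangle} = 2t^3 + 3t^2,\quad \Psi(1) = 0,\quad \psi_1(x,y) = xy(\Psi(xy) - \Psi(x) - \Psi(y)).$$

For $p = 7$, we have

$$\Psi(t) = \Bigl(3t^5 + \frac{1}{12}t^4 - \frac{1}{120}t^2\Bigr)^{\langle 7\rangle} = 3t^5 + 3t^4 - t^2,$$

$$\Psi(1) = 5,\quad \psi_1(x,y) = xy(\Psi(xy) - \Psi(x) - \Psi(y) + 5).$$

For $p = 11$, we have

$$\Psi(t) = \Bigl(5t^9 + \frac{1}{12}t^8 - \frac{1}{120}t^6 + \frac{1}{252}t^4 - \frac{1}{240}t^2\Bigr)^{\langle 11\rangle} = 5t^9 + t^8 + t^6 - t^4 - 5t^2,$$

$$\Psi(1) = 1,\quad \psi_1(x,y) = xy(\Psi(xy) - \Psi(x) - \Psi(y) + 1).$$

For $p = 13$, we have

$$\Psi(t) = \Bigl(6t^{11} + \frac{1}{12}t^{10} - \frac{1}{120}t^8 + \frac{1}{252}t^6 - \frac{1}{240}t^4 + \frac{1}{132}t^2\Bigr)^{\langle 13\rangle} = 6t^{11} - t^{10} + 4t^8 - 5t^6 + 2t^4 - 6t^2,$$

$$\Psi(1) = 0,\quad \psi_1(x,y) = xy(\Psi(xy) - \Psi(x) - \Psi(y)).$$

For $p = 17$, we have

$$\Psi(t) = \Bigl(8t^{15} + \frac{1}{12}t^{14} - \frac{1}{120}t^{12} + \frac{1}{252}t^{10} - \frac{1}{240}t^8 + \frac{1}{132}t^6 - \frac{691}{32760}t^4 + \frac{1}{12}t^2\Bigr)^{\langle 17\rangle}$$

$$= 8t^{15} - 7t^{14} - t^{12} - 6t^{10} + 8t^8 + 4t^6 + 6t^4 - 7t^2,$$

$$\Psi(1) = 5,\quad \psi_1(x,y) = xy(\Psi(xy) - \Psi(x) - \Psi(y) + 5).$$

For $p = 19$, we have

$$\Psi(t) = \Bigl(9t^{17} + \frac{1}{12}t^{16} - \frac{1}{120}t^{14} + \frac{1}{252}t^{12} - \frac{1}{240}t^{10} + \frac{1}{132}t^8 - \frac{691}{32760}t^6 + \frac{1}{12}t^4 - \frac{3617}{8160}t^2\Bigr)^{\langle 19\rangle}$$

$$= 9t^{17} + 8t^{16} + 3t^{14} + 4t^{12} - 8t^{10} - t^8 + 3t^6 + 8t^4 - 5t^2,$$

$$\Psi(1) = 2,\quad \psi_1(x,y) = xy(\Psi(xy) - \Psi(x) - \Psi(y) + 2).$$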
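The computation in Example 3 can be reproduced and checked against integer arithmetic. The following is an added example, not code from the paper; the function names are this example's own, and it assumes Python 3.8+ for `pow(x, -1, p)`. It goes beyond the case $n = 2$ of the example by evaluating the $n$-variable expression (4).

```python
from fractions import Fraction
from itertools import product
from math import comb, factorial


def bernoulli(m_max):
    """B_0..B_{m_max} with the convention B_1 = -1/2 used on this page."""
    B = [Fraction(1)]
    for m in range(1, m_max + 1):
        # Recurrence sum_{k=0}^{m} C(m+1, k) B_k = 0 for m >= 1.
        B.append(-sum(comb(m + 1, k) * B[k] for k in range(m)) / (m + 1))
    return B


def reduce_mod_p(q, p):
    """a^<p>: image in F_p of a rational whose denominator is coprime to p."""
    return q.numerator * pow(q.denominator, -1, p) % p


def psi_coeffs(p):
    """{i: beta_i} with beta_i = (B_{p-1-i} / (p-1-i))^<p>, 1 <= i <= p-2 (equation (5))."""
    B = bernoulli(p - 2)
    beta = {i: reduce_mod_p(B[p - 1 - i] / (p - 1 - i), p) for i in range(1, p - 1)}
    return {i: b for i, b in beta.items() if b}  # drop the vanishing terms


def Psi(t, p, beta):
    return sum(b * pow(t, i, p) for i, b in beta.items()) % p


def carry_poly(xs, p, beta):
    """psi_1(x_1..x_n) evaluated through equation (4), all arithmetic in F_p."""
    prod = 1
    for x in xs:
        prod = prod * x % p
    inner = (Psi(prod, p, beta) - sum(Psi(x, p, beta) for x in xs)
             + (len(xs) - 1) * Psi(1, p, beta))
    return prod * inner % p


def carry_int(xs, p):
    """Reference value: digit at the p's place of the integer product."""
    prod = 1
    for x in xs:
        prod *= x
    return prod // p % p


def check(p, n):
    """True when (4) matches integer arithmetic on every input in (F_p)^n."""
    beta = psi_coeffs(p)
    return all(carry_poly(xs, p, beta) == carry_int(xs, p)
               for xs in product(range(p), repeat=n))


def wilson_quotient_mod_p(p):
    return (factorial(p - 1) + 1) // p % p


if __name__ == "__main__":
    for p in (3, 5, 7, 11, 13):
        beta = psi_coeffs(p)
        print(p, beta, Psi(1, p, beta), check(p, 2), check(p, 3))
```

Coefficients are returned as representatives in $\{0,\dots,p-1\}$, so the $-t^2$ of the case $p = 7$ appears as the coefficient 6.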


4.2 Multiplication of p-ary Integers Based on Polynomials

Here we show two algorithms for multiplication of two $p$-ary integers $a_h = (a_{h,m_h}\cdots a_{h,1}a_{h,0})_p$, $h = 1,2$, based on the result of Section 4.1 where, as above, each digit $a_{h,i}$ of $a_h$ is represented by an element of $\mathbb{F}_p$. The advantage of the first algorithm is that we need the carry function $\varphi_1$ to the next digit for addition but do not need the carry functions $\varphi_k$ to higher digits $k\ge 2$ which are more complicated. On the other hand, the advantage of the second algorithm is that it seems more appropriate for parallel computation. As in Section 4.1, we assume $p > 2$.

For our first algorithm, note that the product $c = a_1a_2$ can be expressed by $m_1 + m_2 + 2$ digits; $c = (c_{m_1+m_2+1}\cdots c_1c_0)_p$, $c_i\in\mathbb{F}_p$. Then the digits of $c$ are calculated by the algorithm shown in Figure 3, where $\gamma$ means an auxiliary variable for the carry at each digit to the next digit. We note that, for each pair of indices $i,j$, we have

$$(a_{1,i})_{\mathbb{Z}} \times_{\mathbb{Z}} (a_{2,j})_{\mathbb{Z}} +_{\mathbb{Z}} (c_{i+j})_{\mathbb{Z}} +_{\mathbb{Z}} \gamma_{\mathbb{Z}} \le (p-1)^2 + 2(p-1) = p^2 - 1,$$

therefore the value appearing in updating the $(i+j)$-th digit can be expressed by two digits and the polynomials $\varphi_k$ for $k\ge 2$ are not needed. Now it follows that the algorithm calculates $c = a_1a_2$ correctly.

On the other hand, our second algorithm to calculate the digits of $c = a_1a_2$ is shown in Figure 4. Here we note that, for the latter loop for $i = 0,1,\dots$, since we have $n(p-1) < p^n$ for any integer $n\ge 1$ and any prime $p$, the total number of elements in the lists $A_k$ with $k\ge i$ is strictly decreasing when $i$ is incremented during the loop. This implies that the algorithm always stops within a finite number of steps, therefore the algorithm calculates $c = a_1a_2$ correctly.
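The list bookkeeping and the termination argument of the second algorithm (Figure 4) can be exercised directly. The following is an added example, not code from the paper: the carry functions are evaluated by integer arithmetic as stand-ins for the polynomials $\psi_1$ and $\varphi_j$ (taking $\varphi_j$ to be the digit at the $p^j$'s place of a sum of digits, which is an assumption of this example), and all names are the example's own.

```python
from collections import defaultdict


def digits(x, p):
    """Little-endian p-ary digits of a non-negative integer."""
    out = [x % p]
    while x >= p:
        x //= p
        out.append(x % p)
    return out


def to_int(ds, p):
    return sum(d * p**k for k, d in enumerate(ds))


def psi1(x, y, p):
    """Multiplication carry: p's-place digit of x*y (stand-in for the polynomial)."""
    return x * y // p


def phi(j, alphas, p):
    """Addition carry: p^j's-place digit of alpha_1 + ... + alpha_n (stand-in)."""
    return sum(alphas) // p**j % p


def multiply(a1, a2, p):
    """Second algorithm (Figure 4) on little-endian digit lists; returns digits of a1*a2."""
    A = defaultdict(list)
    for i, x in enumerate(a1):
        for j, y in enumerate(a2):
            A[i + j].append(x * y % p)           # product digit, computed in F_p
            A[i + j + 1].append(psi1(x, y, p))   # its carry to the next digit
    c, i = [], 0
    while A[i]:                                  # stop at the first empty list
        alphas, n = A[i], len(A[i])
        c.append(sum(alphas) % p)                # c_i = alpha_1 + ... + alpha_n in F_p
        j = 1
        while n * (p - 1) >= p**j:               # only carries that can be non-zero
            A[i + j].append(phi(j, alphas, p))
            j += 1
        i += 1
    return c


if __name__ == "__main__":
    p = 3
    print(multiply(digits(5, p), digits(2, p), p))  # digits of 10 in base 3, low digit first
```

The returned digit list may carry leading zero digits, because zero-valued carries are appended to the lists like any other element.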


Figure 3: First algorithm for multiplication of two p-ary integers based on polynomials

    Input: $a_h = (a_{h,m_h}\cdots a_{h,1}a_{h,0})_p$  ($h\in\{1,2\}$, $a_{h,i}\in\mathbb{F}_p$)
    Set $c_0 \leftarrow a_{1,0}a_{2,0}$, $\gamma \leftarrow \psi_1(a_{1,0},a_{2,0})$
    For $i = 1,\dots,m_1$ Do:
        Set $c_i \leftarrow a_{1,i}a_{2,0} + \gamma$
        Update $\gamma$ by $\gamma \leftarrow \psi_1(a_{1,i},a_{2,0}) + \varphi_1(a_{1,i}a_{2,0},\gamma)$
    End Do
    Set $c_{m_1+1} \leftarrow \gamma$
    For $j = 1,\dots,m_2$ Do:
        Update $c_j$ and $\gamma$ by $(c_j,\gamma) \leftarrow (a_{1,0}a_{2,j} + c_j,\ \psi_1(a_{1,0},a_{2,j}) + \varphi_1(a_{1,0}a_{2,j},c_j))$
        For $i = 1,\dots,m_1 - 1$ Do:
            Update $c_{i+j}$ and $\gamma$ by $(c_{i+j},\gamma) \leftarrow (a_{1,i}a_{2,j} + c_{i+j} + \gamma,\ \psi_1(a_{1,i},a_{2,j}) + \varphi_1(a_{1,i}a_{2,j},c_{i+j},\gamma))$
        End Do
        Updat© Cj 7 T,i+j by ^ H“ T
        SGt ^ ) ~^'^1 ^ 2,_7 5 , ^)
    End Do
    Output $c = (c_{m_1+m_2+1}\cdots c_1c_0)_p$


Figure 4: Second algorithm for multiplication of two p-ary integers based on polynomials

    Input: $a_h = (a_{h,m_h}\cdots a_{h,1}a_{h,0})_p$  ($h\in\{1,2\}$, $a_{h,i}\in\mathbb{F}_p$)
    Initialize the lists $A_0, A_1, A_2, \dots$ to be empty
    For $i = 0,\dots,m_1$ Do:
        For $j = 0,\dots,m_2$ Do:
            Append $a_{1,i}a_{2,j}$ to the list $A_{i+j}$
            Append $\psi_1(a_{1,i},a_{2,j})$ to the list $A_{i+j+1}$
        End Do
    End Do
    For $i = 0,1,\dots$ Do
        If $A_i$ is empty, then output $c = (c_{i-1}\cdots c_1c_0)_p$ and stop
        Enumerate the elements of $A_i$ as $\alpha_1,\dots,\alpha_n$
        Set $c_i \leftarrow \alpha_1 + \cdots + \alpha_n$
        For $j = 1,\dots,\max\{k\in\mathbb{Z} \mid n(p-1)\ge p^k\}$ Do:
            Append $\varphi_j(\alpha_1,\dots,\alpha_n)$ to the list $A_{i+j}$
        End Do
    End Do


Appendix: Algebraic Observation for the Proof of Theorem 2

In this appendix, we revisit our proof of Theorem 2 from algebraic viewpoints, as mentioned in Remark 2. Let $p$ be an odd prime. First, we consider the following exact sequence

$$1 \to 1 + p\mathbb{Z}/p^2\mathbb{Z} \to (\mathbb{Z}/p^2\mathbb{Z})^\times \to (\mathbb{F}_p)^\times \to 1$$

and a section $\tilde{\ }\colon (\mathbb{F}_p)^\times \ni x \mapsto \tilde{x} \in (\mathbb{Z}/p^2\mathbb{Z})^\times$ which is a composition of the map $a\mapsto a_{\mathbb{Z}}$ followed by the natural projection $\mathbb{Z}\to\mathbb{Z}/p^2\mathbb{Z}$. Note that the group action of $(\mathbb{F}_p)^\times$ on $1 + p\mathbb{Z}/p^2\mathbb{Z}$ associated to the
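group extension above is trivial, since $(\mathbb{Z}/p^2\mathbb{Z})^\times$ is Abelian. Then, by the general theory of cohomology of groups, the map $(\mathbb{F}_p)^\times \times (\mathbb{F}_p)^\times \to (\mathbb{Z}/p^2\mathbb{Z})^\times$, $(x,y)\mapsto \tilde{x}\tilde{y}/\widetilde{xy}$, has values in the subgroup $1 + p\mathbb{Z}/p^2\mathbb{Z}$ and gives a 2-cocycle, hence an element of $H^2((\mathbb{F}_p)^\times, 1 + p\mathbb{Z}/p^2\mathbb{Z})$. Since $x_{\mathbb{Z}}y_{\mathbb{Z}} = (xy)_{\mathbb{Z}} + \psi_1(x,y)_{\mathbb{Z}}\cdot p$, we have $\tilde{x}\tilde{y}/\widetilde{xy} = 1 + (\psi_1(x,y)_{\mathbb{Z}}/(xy)_{\mathbb{Z}})^{\langle p\rangle}\cdot p$. By mapping this via a group isomorphism $1 + p\mathbb{Z}/p^2\mathbb{Z} \to \mathbb{Z}/p\mathbb{Z}$, $a\mapsto (a-1)/p$, we obtain a 2-cocycle $(\mathbb{F}_p)^\times \times (\mathbb{F}_p)^\times \to \mathbb{Z}/p\mathbb{Z}$ given by

$$(\mathbb{F}_p)^\times \times (\mathbb{F}_p)^\times \ni (x,y) \mapsto \Bigl(\frac{\psi_1(x,y)_{\mathbb{Z}}}{(xy)_{\mathbb{Z}}}\Bigr)^{\langle p\rangle} = \frac{\psi_1(x,y)}{xy} \in \mathbb{Z}/p\mathbb{Z}. \tag{18}$$

The property (9) for $x,y,z\in(\mathbb{F}_p)^\times$ is now derived by the definition of 2-cocycles (for the trivial group action). We note that the property (9) for the remaining case where some of $x, y, z$ is zero follows immediately from the meaning of $\psi_1$. Moreover, since $(\mathbb{F}_p)^\times$ and $\mathbb{Z}/p\mathbb{Z}$ have coprime orders, we have $H^2((\mathbb{F}_p)^\times,\mathbb{Z}/p\mathbb{Z}) = 0$ by Schur-Zassenhaus Theorem. In particular, the 2-cocycle (18) gives a zero element of $H^2((\mathbb{F}_p)^\times,\mathbb{Z}/p\mathbb{Z})$ and hence is a coboundary (for the trivial group action), namely,

$$\frac{\psi_1(x,y)}{xy} = \overline{\Psi}(x) + \overline{\Psi}(y) - \overline{\Psi}(xy) \tag{19}$$

for a function $\overline{\Psi}\colon (\mathbb{F}_p)^\times \to \mathbb{Z}/p\mathbb{Z}$. Now we have $\overline{\Psi}(1) = \psi_1(1,1) = 0$. Then the expression (4) of $\psi_1$ for $n = 2$ is deduced by extending the domain of the function $\overline{\Psi}$ from $(\mathbb{F}_p)^\times$ to $\mathbb{F}_p$ and normalizing it in such a way that $\Psi(t) = \overline{\Psi}(0) - \overline{\Psi}(t)$, i.e., $\Psi(1) = \overline{\Psi}(0)$ and $\overline{\Psi}(t) = \Psi(1) - \Psi(t)$. We note that such a function $(\mathbb{F}_p)^\times \to \mathbb{Z}/p\mathbb{Z}$ satisfying (19) is uniquely determined. Indeed, the 1-cocycles $(\mathbb{F}_p)^\times \to \mathbb{Z}/p\mathbb{Z}$ are group homomorphisms since $(\mathbb{F}_p)^\times$ acts trivially on $\mathbb{Z}/p\mathbb{Z}$, while we have $\mathrm{Hom}((\mathbb{F}_p)^\times,\mathbb{Z}/p\mathbb{Z}) = 0$ since $(\mathbb{F}_p)^\times$ and $\mathbb{Z}/p\mathbb{Z}$ have coprime orders. Therefore, the difference of any two such functions, which is a 1-cocycle, is the zero map as mentioned above.

To investigate the function $\overline{\Psi}$ further, we consider another section $[\cdot]\colon (\mathbb{F}_p)^\times \to (\mathbb{Z}/p^2\mathbb{Z})^\times$ defined by $[x] = (\tilde{x})^p$ (note that $[x] \equiv \tilde{x}^p \equiv x \pmod p$ by Fermat's Little Theorem). This is a group homomorphism (hence, it is the Teichmüller lift of the projection $(\mathbb{Z}/p^2\mathbb{Z})^\times \to (\mathbb{F}_p)^\times$), since $\tilde{x}\tilde{y} \equiv \widetilde{xy} + \psi_1(x,y)_{\mathbb{Z}}\cdot p \pmod{p^2}$ and hence $(\tilde{x}\tilde{y})^p \equiv (\widetilde{xy})^p \pmod{p^2}$ by the binomial theorem. We consider the difference $\tilde{x}[x]^{-1} \in 1 + p\mathbb{Z}/p^2\mathbb{Z}$ of the two sections $\tilde{\ }$, $[\cdot]$. By mapping this via the isomorphism $1 + p\mathbb{Z}/p^2\mathbb{Z} \to \mathbb{Z}/p\mathbb{Z}$ above, we obtain the map

$$\alpha\colon (\mathbb{F}_p)^\times \to \mathbb{Z}/p\mathbb{Z},\quad \alpha(x) = \Bigl(\frac{\tilde{x}[x]^{-1} - 1}{p}\Bigr)^{\langle p\rangle}.$$

Now, by the homomorphic property of $[\cdot]$, for any $x,y\in(\mathbb{F}_p)^\times$, we have

$$\begin{aligned}
\psi_1(x,y) &= \Bigl([xy]\cdot\frac{(\tilde{x}\tilde{y}[x]^{-1}[y]^{-1} - 1) - (\widetilde{xy}[xy]^{-1} - 1)}{p}\Bigr)^{\langle p\rangle} \\
&= \Bigl([xy]\cdot\frac{(\tilde{x}[x]^{-1} - 1)(\tilde{y}[y]^{-1} - 1) + (\tilde{x}[x]^{-1} - 1) + (\tilde{y}[y]^{-1} - 1) - (\widetilde{xy}[xy]^{-1} - 1)}{p}\Bigr)^{\langle p\rangle}.
\end{aligned}$$

Since $\tilde{x}[x]^{-1} - 1 \equiv \tilde{y}[y]^{-1} - 1 \equiv 0 \pmod p$, the rightmost side is equal to

$$\Bigl([xy]\cdot\frac{(\tilde{x}[x]^{-1} - 1) + (\tilde{y}[y]^{-1} - 1) - (\widetilde{xy}[xy]^{-1} - 1)}{p}\Bigr)^{\langle p\rangle} = xy\,(\alpha(x) + \alpha(y) - \alpha(xy)),$$

therefore $\psi_1(x,y)/(xy) = \alpha(x) + \alpha(y) - \alpha(xy)$. Hence we have

$$\overline{\Psi}(x) = \alpha(x) = \Bigl(\frac{\tilde{x}[x]^{-1} - 1}{p}\Bigr)^{\langle p\rangle} \quad\text{for } x\in(\mathbb{F}_p)^\times$$

by the uniqueness of $\overline{\Psi}$ mentioned above. This gives a “meaning” of the auxiliary function $\overline{\Psi}$ (and its normalized version $\Psi$) as the difference of the two sections $\tilde{\ }$ and $[\cdot]$ in the group extension above.

For any $a\in\mathbb{F}_p\setminus\{0,-1\}$, we have $\widetilde{a+1} = \tilde{a} + 1$ and

$$(a+1)\overline{\Psi}(a+1) = \Bigl(\frac{\widetilde{a+1} - [a+1]}{p}\Bigr)^{\langle p\rangle} = \Bigl(\frac{(\tilde{a} - [a]) + ([a] + 1 - [a+1])}{p}\Bigr)^{\langle p\rangle} = a\overline{\Psi}(a) + \Bigl(\frac{[a] + 1 - [a+1]}{p}\Bigr)^{\langle p\rangle},$$

therefore

$$(a+1)\overline{\Psi}(a+1) - a\overline{\Psi}(a) = \Bigl(\frac{[a] + 1 - [a+1]}{p}\Bigr)^{\langle p\rangle}. \tag{20}$$

Intuitively, the differential equation (20) involving the power function $[a] = (\tilde{a})^p$ can be seen as the source of Bernoulli numbers appearing in the expression of $\psi_1$, since Bernoulli numbers have close connections to power sums (cf., (13)). Now for $x\in(\mathbb{F}_p)^\times$, by summing up (20) for $a\in\{1,2,\dots,x-1\}$ and by using the fact $\overline{\Psi}(1) = 0$, we have

$$x\overline{\Psi}(x) = -x\cdot q_p(x)^{\langle p\rangle}$$

where $q_p(x) = (x^{p-1} - 1)/p$ denotes the Fermat quotient. Hence, the relation (17) of the auxiliary function $\Psi$ to the Fermat quotient can be derived from the “meaning” of $\overline{\Psi}$ itself mentioned above, without using the original function $\psi_1$.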